From 9f7103359b06b3cd7bff6073edf18142c21cef9a Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Thu, 17 Apr 2014 17:49:50 +0200 Subject: refactoring again --- .../id/protocols/stork2/AuthenticationRequest.java | 170 ++++++++++----------- 1 file changed, 84 insertions(+), 86 deletions(-) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java index dc30e4e12..599d0c302 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/stork2/AuthenticationRequest.java @@ -19,7 +19,9 @@ import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.runtime.RuntimeConstants; -import org.opensaml.common.impl.SecureRandomIdentifierGenerator; +import org.opensaml.saml2.core.AudienceRestriction; +import org.opensaml.saml2.core.impl.AudienceRestrictionBuilder; +import org.opensaml.saml2.core.impl.AudienceRestrictionImpl; import org.w3c.dom.Element; import org.w3c.dom.NamedNodeMap; @@ -27,7 +29,8 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.StringWriter; -import java.security.NoSuchAlgorithmException; +import java.net.MalformedURLException; +import java.net.URL; /** @@ -49,12 +52,7 @@ public class AuthenticationRequest implements IAction { this.moaSession = moasession; - Logger.info("CPEPS " + AuthConfigurationProvider.getInstance().getStorkConfig().getCPEPS("SI").getPepsURL().toString()); - - - //AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap(). - - if ((req instanceof MOASTORKRequest) && !((MOASTORKRequest) req).getStorkAuthnRequest().getCitizenCountryCode().equals("SI")) { + if ((req instanceof MOASTORKRequest) && ((MOASTORKRequest) req).getStorkAuthnRequest().getCitizenCountryCode().equals("AT")) { this.moaStorkRequest = (MOASTORKRequest) req; @@ -78,20 +76,18 @@ public class AuthenticationRequest implements IAction { Logger.debug("Starting AuthenticationRequest"); moaStorkResponse.setSTORKAuthnResponse(new STORKAuthnResponse()); - STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP"); Logger.debug("Starting generation of SAML response"); try { moaStorkResponse.setSTORKAuthnResponse(engine.generateSTORKAuthnResponse(moaStorkRequest.getStorkAuthnRequest(), moaStorkResponse.getStorkAuthnResponse(), httpReq.getRemoteAddr(), false)); } catch (STORKSAMLEngineException ex) { - // TODO + Logger.error("Failed to generate STORK SAML Response", ex); + throw new MOAIDException("stork.05", null); // TODO } // Get personal attributtes from MOA/IdentityLink moaStorkResponse.setPersonalAttributeList(populateAttributes()); - - } //moaStorkResponse.setCountry(moaStorkRequest.getSpCountry()); @@ -110,60 +106,66 @@ public class AuthenticationRequest implements IAction { container.setRemoteAddress(httpReq.getRemoteAddr()); - - STORKAuthnResponse arep = moaStorkResponse.getStorkAuthnResponse(); - - - arep.setCountry("XX"); - arep.setInResponseTo("xxxx"); - arep.setMessage("xxxx"); - arep.setSamlId("xxxx"); - arep.setStatusCode("xxxx"); - - // arep.setNotBefore(new DateTime().withTimeAtStartOfDay()); - // arep.setNotOnOrAfter(new DateTime().withTimeAtStartOfDay()); - - Logger.debug("Data container prepared"); return (new AttributeCollector()).processRequest(container, httpReq, httpResp, moasession, oaParam); - } // check if we are getting request for citizen of some other country - else if ((req instanceof MOASTORKRequest) && ((MOASTORKRequest) req).getStorkAuthnRequest().getCitizenCountryCode().equals("SI")) { - - // - generate new key - String artifactId = null; - try { - artifactId = new SecureRandomIdentifierGenerator().generateIdentifier(); - } catch (NoSuchAlgorithmException e) { - e.printStackTrace(); - } - + } + // check if we are getting request for citizen of some other country + else if (req instanceof MOASTORKRequest) { STORKAuthnRequest spAuthnRequest = ((MOASTORKRequest) req).getStorkAuthnRequest(); - STORKAuthnRequest storkAuthnRequest = new STORKAuthnRequest(); + STORKAuthnRequest storkAuthnRequest = null; + + String citizenCountryCode = spAuthnRequest.getCitizenCountryCode(); + Logger.info("Got authentication request for citizen of " + citizenCountryCode); try { storkAuthnRequest = (STORKAuthnRequest) spAuthnRequest.clone(); } catch (CloneNotSupportedException e) { - e.printStackTrace(); + Logger.error("Could not clone AuthnRequest ", e); + throw new MOAIDException("stork.05", null); // TODO } - storkAuthnRequest.setIssuer("VIDP"); - storkAuthnRequest.setAssertionConsumerServiceURL("https://vm-stork2-vidp:8443/moa-id-auth/stork2/SendPEPSAuthnRequest"); - storkAuthnRequest.setSamlId(artifactId); - String publicURLPrefix = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); - if (publicURLPrefix == null) - throw new AuthenticationException("stork.12", new Object[]{moasession.getPublicOAURLPrefix()}); + // check if citizen country is configured in the system + if (!(AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode))) { + Logger.error("Citizen country PEPS not configured in MOA instance: " + citizenCountryCode); + throw new MOAIDException("stork.05", null); // TODO + } + // extracting basic settings and adjusting assertion consumer + String issuer = null; + String assertionConsumerURL = null; + String publicURLPrefix = null; + String destinationURL = null; - DataContainer originalRequest = new DataContainer(); - originalRequest.setRequest((MOASTORKRequest) req); + try { + issuer = new URL(AuthConfigurationProvider.getInstance().getPublicURLPrefix()).toString(); + destinationURL = AuthConfigurationProvider.getInstance().getStorkConfig().getCPEPS(citizenCountryCode).getPepsURL().toString(); + publicURLPrefix = AuthConfigurationProvider.getInstance().getPublicURLPrefix(); + assertionConsumerURL = publicURLPrefix + "/stork2/SendPEPSAuthnRequest"; + } catch (MalformedURLException ex) { + Logger.error("Wrong PublicURLPrefix setting of MOA instance: " + AuthConfigurationProvider.getInstance().getPublicURLPrefix(), ex); + throw new MOAIDException("stork.05", null); // TODO + } catch (Exception ex) { + Logger.error("Problem with PEPS configuration of MOA instance.", ex); + throw new MOAIDException("stork.05", null); // TODO + } - // preparing redirection for the client + // drop if we do not have publicprefix url configured on the instance + if (publicURLPrefix == null) + throw new AuthenticationException("stork.12", new Object[]{moasession.getPublicOAURLPrefix()}); - //STORKAuthnRequest storkAuthnRequest = new STORKAuthnRequest(); + // adjusting request + storkAuthnRequest.setEIDCrossBorderShare(spAuthnRequest.isEIDCrossBorderShare()); + storkAuthnRequest.setEIDSectorShare(spAuthnRequest.isEIDSectorShare()); + storkAuthnRequest.setEIDCrossSectorShare(spAuthnRequest.isEIDCrossSectorShare()); + storkAuthnRequest.setCitizenCountryCode(spAuthnRequest.getCitizenCountryCode()); + storkAuthnRequest.setIssuer(issuer); + storkAuthnRequest.setAssertionConsumerServiceURL(assertionConsumerURL); + storkAuthnRequest.setDestination(destinationURL); + // regenerate request try { //Get SAMLEngine instance STORKSAMLEngine engine = STORKSAMLEngine.getInstance("VIDP"); @@ -177,49 +179,26 @@ public class AuthenticationRequest implements IAction { throw new MOAIDException("stork.05", null); } + // store original request from SP in order to be able to extract it in later iteration/response + DataContainer spRequestContainer = new DataContainer(); + spRequestContainer.setRequest((MOASTORKRequest) req); - // store original request from sp in order to be able to extract it in later iteration/response try { - AssertionStorage.getInstance().put(storkAuthnRequest.getSamlId(), originalRequest); - Logger.info("Storing artifactId " + storkAuthnRequest.getSamlId() + " of SP authentication request"); + AssertionStorage.getInstance().put(storkAuthnRequest.getSamlId(), spRequestContainer); + Logger.info("Storing artifactId " + storkAuthnRequest.getSamlId() + " of SP authentication request with id " + spAuthnRequest.getSamlId()); } catch (MOADatabaseException e) { e.printStackTrace(); } - byte[] blob; - try { - - VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); - Template template = velocityEngine.getTemplate("/resources/templates/stork2_postbinding_template.html"); - VelocityContext context = new VelocityContext(); - blob = storkAuthnRequest.getTokenSaml(); - - context.put("SAMLRequest", PEPSUtil.encodeSAMLToken(blob)); - Logger.debug("SAMLRequest original: " + new String(blob)); - - Logger.debug("Putting url as action: " + "https://peps-test.mju.gov.si/PEPS/ColleagueRequest"); - context.put("action", "https://peps-test.mju.gov.si/PEPS/ColleagueRequest"); - Logger.debug("Starting template merge"); - StringWriter writer = new StringWriter(); - - Logger.debug("Doing template merge"); - template.merge(context, writer); - Logger.debug("Template merge done"); - - Logger.debug("Sending html content: " + writer.getBuffer().toString()); - Logger.debug("Sending html content2 : " + new String(writer.getBuffer())); - - httpResp.getOutputStream().write(writer.getBuffer().toString().getBytes()); - - } catch (Exception e) { - Logger.error("Velocity error: " + e.getMessage()); - } + // preparing redirection for the client + performRedirection("SAMLRequest", destinationURL, storkAuthnRequest.getTokenSaml(), httpResp); return "xxxx";// TODO - } else if ((req instanceof MOASTORKResponse)) { - // Check if we got the response from PEPS - // If so then process it and forward to SP + } + // Check if we got the response from PEPS + // If so then process it and forward to SP + else if ((req instanceof MOASTORKResponse)) { return handleMOAStorkResponse("VIDP", (MOASTORKResponse) req, httpReq.getRemoteAddr(), httpResp); } else { Logger.error("Could not recognize request."); @@ -227,6 +206,11 @@ public class AuthenticationRequest implements IAction { } } + + private String handleMOAStorkRequest(String instanceName, MOASTORKRequest moastorkRequest, String remoteAddr, HttpServletResponse httpResp) { + + } + /* Handles STORKAuthnResponse received from PEPS (return to SP) */ @@ -257,6 +241,10 @@ public class AuthenticationRequest implements IAction { // setting new reference request and return url authnResponse.setInResponseTo(dataContainer.getRequest().getStorkAuthnRequest().getSamlId()); authnResponse.setAudienceRestriction(dataContainer.getRequest().getAssertionConsumerServiceURL()); + //AudienceRestrictionBuilder audienceRestrictionBuilder = new AudienceRestrictionBuilder(); + //AudienceRestriction audienceRestriction = audienceRestrictionBuilder.buildObject(dataContainer.getRequest().getAssertionConsumerServiceURL(), "localname", "nameprefix"); + + //authnResponse.getAssertions().get(0).getConditions().getAudienceRestrictions().add(audienceRestriction); Logger.debug("Starting generation of SAML response"); try { @@ -372,11 +360,21 @@ public class AuthenticationRequest implements IAction { public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { + // authentication is not needed if we have authentication request from SP for citizen of configured PEPS country if (req instanceof MOASTORKRequest) { - if (((MOASTORKRequest) req).getStorkAuthnRequest().getCitizenCountryCode().equals("SI")) { - return false; - + MOASTORKRequest moastorkRequest = (MOASTORKRequest) req; + if (moastorkRequest.getStorkAuthnRequest() != null) { + String citizenCountryCode = moastorkRequest.getStorkAuthnRequest().getCitizenCountryCode(); + // check if citizen country is configured in the system + try { + if (AuthConfigurationProvider.getInstance().getStorkConfig().getCpepsMap().containsKey(citizenCountryCode)) { + return false; + } + } catch (MOAIDException e) { + Logger.error("Could not initialize AuthConfigurationProvider"); + } } + // authentication is not required if received authentication response } else if (req instanceof MOASTORKResponse) { return false; } -- cgit v1.2.3